aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
111s
max time network
120s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1896-66-0x0000000006690000-0x0000000006A30000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1508	voiceadequovl.exe
1896	voiceadequovl.exe
536	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1508	voiceadequovl.exe
1508	voiceadequovl.exe
1508	voiceadequovl.exe
1508	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1896 set thread context of 536	1896	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1408	powershell.exe
1564	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	voiceadequovl.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeIncreaseQuotaPrivilege	2012	wmic.exe
Token: SeSecurityPrivilege	2012	wmic.exe
Token: SeTakeOwnershipPrivilege	2012	wmic.exe
Token: SeLoadDriverPrivilege	2012	wmic.exe
Token: SeSystemProfilePrivilege	2012	wmic.exe
Token: SeSystemtimePrivilege	2012	wmic.exe
Token: SeProfSingleProcessPrivilege	2012	wmic.exe
Token: SeIncBasePriorityPrivilege	2012	wmic.exe
Token: SeCreatePagefilePrivilege	2012	wmic.exe
Token: SeBackupPrivilege	2012	wmic.exe
Token: SeRestorePrivilege	2012	wmic.exe
Token: SeShutdownPrivilege	2012	wmic.exe
Token: SeDebugPrivilege	2012	wmic.exe
Token: SeSystemEnvironmentPrivilege	2012	wmic.exe
Token: SeRemoteShutdownPrivilege	2012	wmic.exe
Token: SeUndockPrivilege	2012	wmic.exe
Token: SeManageVolumePrivilege	2012	wmic.exe
Token: 33	2012	wmic.exe
Token: 34	2012	wmic.exe
Token: 35	2012	wmic.exe
Token: SeIncreaseQuotaPrivilege	2012	wmic.exe
Token: SeSecurityPrivilege	2012	wmic.exe
Token: SeTakeOwnershipPrivilege	2012	wmic.exe
Token: SeLoadDriverPrivilege	2012	wmic.exe
Token: SeSystemProfilePrivilege	2012	wmic.exe
Token: SeSystemtimePrivilege	2012	wmic.exe
Token: SeProfSingleProcessPrivilege	2012	wmic.exe
Token: SeIncBasePriorityPrivilege	2012	wmic.exe
Token: SeCreatePagefilePrivilege	2012	wmic.exe
Token: SeBackupPrivilege	2012	wmic.exe
Token: SeRestorePrivilege	2012	wmic.exe
Token: SeShutdownPrivilege	2012	wmic.exe
Token: SeDebugPrivilege	2012	wmic.exe
Token: SeSystemEnvironmentPrivilege	2012	wmic.exe
Token: SeRemoteShutdownPrivilege	2012	wmic.exe
Token: SeUndockPrivilege	2012	wmic.exe
Token: SeManageVolumePrivilege	2012	wmic.exe
Token: 33	2012	wmic.exe
Token: 34	2012	wmic.exe
Token: 35	2012	wmic.exe
Token: SeIncreaseQuotaPrivilege	1692	WMIC.exe
Token: SeSecurityPrivilege	1692	WMIC.exe
Token: SeTakeOwnershipPrivilege	1692	WMIC.exe
Token: SeLoadDriverPrivilege	1692	WMIC.exe
Token: SeSystemProfilePrivilege	1692	WMIC.exe
Token: SeSystemtimePrivilege	1692	WMIC.exe
Token: SeProfSingleProcessPrivilege	1692	WMIC.exe
Token: SeIncBasePriorityPrivilege	1692	WMIC.exe
Token: SeCreatePagefilePrivilege	1692	WMIC.exe
Token: SeBackupPrivilege	1692	WMIC.exe
Token: SeRestorePrivilege	1692	WMIC.exe
Token: SeShutdownPrivilege	1692	WMIC.exe
Token: SeDebugPrivilege	1692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1692	WMIC.exe
Token: SeRemoteShutdownPrivilege	1692	WMIC.exe
Token: SeUndockPrivilege	1692	WMIC.exe
Token: SeManageVolumePrivilege	1692	WMIC.exe
Token: 33	1692	WMIC.exe
Token: 34	1692	WMIC.exe
Token: 35	1692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1692	WMIC.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1508	1596	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1596 wrote to memory of 1508	1596	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1596 wrote to memory of 1508	1596	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1596 wrote to memory of 1508	1596	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1508 wrote to memory of 1896	1508	voiceadequovl.exe	28
PID 1508 wrote to memory of 1896	1508	voiceadequovl.exe	28
PID 1508 wrote to memory of 1896	1508	voiceadequovl.exe	28
PID 1508 wrote to memory of 1896	1508	voiceadequovl.exe	28
PID 1896 wrote to memory of 1408	1896	voiceadequovl.exe	29
PID 1896 wrote to memory of 1408	1896	voiceadequovl.exe	29
PID 1896 wrote to memory of 1408	1896	voiceadequovl.exe	29
PID 1896 wrote to memory of 1408	1896	voiceadequovl.exe	29
PID 1896 wrote to memory of 1236	1896	voiceadequovl.exe	31
PID 1896 wrote to memory of 1236	1896	voiceadequovl.exe	31
PID 1896 wrote to memory of 1236	1896	voiceadequovl.exe	31
PID 1896 wrote to memory of 1236	1896	voiceadequovl.exe	31
PID 1236 wrote to memory of 1564	1236	cmd.exe	33
PID 1236 wrote to memory of 1564	1236	cmd.exe	33
PID 1236 wrote to memory of 1564	1236	cmd.exe	33
PID 1236 wrote to memory of 1564	1236	cmd.exe	33
PID 1896 wrote to memory of 536	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 536	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 536	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 536	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 536	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 536	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 536	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 536	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 536	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 536	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 536	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 536	1896	voiceadequovl.exe	34
PID 536 wrote to memory of 2012	536	voiceadequovl.exe	35
PID 536 wrote to memory of 2012	536	voiceadequovl.exe	35
PID 536 wrote to memory of 2012	536	voiceadequovl.exe	35
PID 536 wrote to memory of 2012	536	voiceadequovl.exe	35
PID 536 wrote to memory of 1580	536	voiceadequovl.exe	38
PID 536 wrote to memory of 1580	536	voiceadequovl.exe	38
PID 536 wrote to memory of 1580	536	voiceadequovl.exe	38
PID 536 wrote to memory of 1580	536	voiceadequovl.exe	38
PID 1580 wrote to memory of 1692	1580	cmd.exe	40
PID 1580 wrote to memory of 1692	1580	cmd.exe	40
PID 1580 wrote to memory of 1692	1580	cmd.exe	40
PID 1580 wrote to memory of 1692	1580	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1408
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:1224
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cfab55f0811e73ed3816a24f961ce870

SHA1
0aed63ba8ab5f7e02573b4323e837492ef1d15b3

SHA256
7f45d20d48a448a764cefa146c7cdb6c79edca81a117a43260df8aa4d03b5a06

SHA512
2c957d1f11f19071c6f0215ab2bffad0ce64b912db7dc999ff6932be92e6b648d691ed983dca1c109f14c4c6a97225d0a74816afd2bdb3c605b19e8d1271f569

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
131.8MB

MD5
8486fd6c4732b0a1240ac7a92176e1de

SHA1
96e62c60e1464486ddc9016a38c024a789651d58

SHA256
0b11759c23f95b829fbe20c0990cf85a78d1d5fe0809ef7789f01981207252be

SHA512
b0c4d43f1e8162568206c6261d286b1d18eecea04000404dfa0112259591bab46360529f87450347e2d155e64738cd1c93226c27a49ce497cacbb6e0f8c9aabd

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
129.4MB

MD5
9e8bfe43b7d5b8a9389beb0657b9287a

SHA1
baaf7be5b52319cde8ad04b29d2284b4ce577fe9

SHA256
7d38fb4cfed52d7eacc80d8bcbfb98fa54fb232e6acebca73780bb5f7ecd2e71

SHA512
4f00c355b4ac9ca77f561a5fc9008affa156df2c99b2d7461c93d8a7529154fbe294c13e6f27b084bdcf6bacaba592aadc4ac4c2adacfc29a6795c1416038eaf

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
46.6MB

MD5
925bd9b852f1d26ef99efee4fd5184fa

SHA1
39af7cc98e1af4742a8221b65a1c679219b5e8f5

SHA256
14ee00700ac99b70f74f28b2c4e8a17550e6a85d878ffa66c800af926c1db4a2

SHA512
be8252c07140a7dc69054fd2dfbf984bf49a38e11e5601136eafd5f163f0ab787e42af25b227c24674958273b51c4b6e2e98b608e92caa5aabae4ff515dcbd4c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
140.4MB

MD5
1caa8d623507dedc4352e5cbd438bc67

SHA1
c5e29a22396d042fae2204bb566ab9c37467119e

SHA256
a241cfe6ffda485846b364c15746d88efa109976d26037f53429ff61c69dd7a2

SHA512
58fcdee85f79d6a8a3a2a4af7135f9f7bf1a537ecd1d2c4057654880185aff9680fce209d916df9dee2fd4616b31ae7ddf486d014885dbe451ad751dfc376457

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
139.7MB

MD5
25a195ff3b433e1ece921edf3a714bb7

SHA1
d7ee98d0421bb8040f4a19ff8cfbadb24125164c

SHA256
228cefaf651e82614e7a01380373215ec2e64e3281d88e5897b63a55f0408fae

SHA512
de08c3401908aaf9dc63943cceda7096d6780a340a8f59fbca366f9b86de8d182918f91d169bf36514b11753f0b34c01765551f9355f57cb0504ef42386ef328

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
134.9MB

MD5
bb4c5bad2556daa424ddce039527d1ad

SHA1
b8b7c854e7164dcbcaacb361dad8a73d650a89ac

SHA256
f10b3612c0c6c867a0bd8f44fa39e84b8a292da0dc5baf18320f867817fa6ecf

SHA512
08fd62810a6e224908fe4d75bd73e5d7169a663bc43f90c2d3dc275681f0ee4ab1a88191b5660a46ebca669f13e297755828b441540bd2c07f17875f042f4917

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
139.4MB

MD5
221a27429f5bc1e81bbc9c19b492a53c

SHA1
8f6850be8ee43a9b88acf3df7f8cf1434f5ad5bf

SHA256
301705e36fd6ea2b9a399cfe21bf605bd8d81b65591383ececb6c3e67ae39738

SHA512
dd0063df14bbc22965aa15bb37a73c7b2529d8df6bdbde3fe9757da63be958f33f109226522b828b1d06720261a337be7f45a56ec412ad5c4bb69d2975c032d7

Download Submit
memory/536-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/536-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/536-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/536-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/536-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/536-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/536-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/536-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/536-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/536-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/536-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1408-69-0x000000006F180000-0x000000006F72B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-71-0x000000006F180000-0x000000006F72B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-70-0x000000006F180000-0x000000006F72B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-56-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1564-86-0x000000006F140000-0x000000006F6EB000-memory.dmp

Filesize
5.7MB

Download
memory/1564-93-0x000000006F140000-0x000000006F6EB000-memory.dmp

Filesize
5.7MB

Download
memory/1896-65-0x0000000000EE0000-0x0000000001654000-memory.dmp

Filesize
7.5MB

Download
memory/1896-66-0x0000000006690000-0x0000000006A30000-memory.dmp

Filesize
3.6MB

Download
memory/1896-75-0x0000000005600000-0x0000000005772000-memory.dmp

Filesize
1.4MB

Download